(HelpNetSecurity) Large enterprises have a major problem when it comes to preparing for the advent of quantum computing: few, if any, have a working knowledge of all the locations where cryptographic keys are being stored and used across applications, browsers, platforms, files and modules, as well as being shared with third parties and vendors.
The lack of urgency concerning cryptography is one of the most significant problems facing most enterprises as they consider what steps they should be taking to survive in a post-quantum world. With Y2K, for instance, the deadline to revamp systems with two-digit date codes was obvious. That’s not the case here – the timeline is anything but certain. It could happen in two or three years or it might happen in 10-15 years, or it might never happen. At the current rate of advancement, most experts expect that functional quantum computers capable of breaking current-grade cryptography such as RSA will arrive within the next 10 years. Maybe. Or maybe not.
Yet in the 40 years that asymmetric encryption technology has been in use, there has never been a threat to cryptography of this scale. There will be massive upheaval and disruption.
A practical approach – and one that business leaders will more likely find acceptable – is to focus on understanding the exposure of your more important, business-critical set of applications. For example, if you’re a bank, what systems do you have that allow you to operate daily as a bank? You’re not going to care about an employee website that sells Disneyland tickets. A list of all the systems and algorithms is important for other security controls and standards, as well as for knowing where your risks are.
Despite the uncertainty surrounding the arrival of quantum computing, sitting back and waiting for the sky to fall is a sure recipe for disaster. Avoid the worst-case scenario by at least documenting how your organization uses cryptography across all business-critical systems.